"Craig A. Johnston" <caj@tower.stc.housing.washington.edu> wrote:
John A. Perry wrote:
First of all, I hope you don't mind me posting this to a couple of lists as I find your questions pertinent and should be of value to many readers.
Oops, I actually meant to direct it to the list myself, but forgot to edit my headers. Sure.
To what extent can the operator of such a remailer really hide his actual site?
It depends on the level of control the remailer operator has on the site that the remailer operates from.
Assume root.
What if the remailer operator is not root? I will offer to forward mail for MX records to any address via my system (myriad.pc.cc.cmu.edu). If you want to run a remailer, and have it be completely hidden from nameserver lookups, ask John Perry to create an MX record for your domain which points to myriad.pc.cc.cmu.edu, and tell me the address you want it forwarded to. I will configure my SMTP daemon to forward all mail to your domain to the email address your remailer is run on.
I know that you can set the 'masquerade as' thing in sendmail, but of course any other SMTP agents you deal with are going to correctly identify you when you 'HELO' and you're going to wind up in the header, somewhere... (well, except smail 3.1, and probably others.) -- I'm assuming here the best one will be able to do will be equivalent to a forgery via port 25.
Well, to obscure the origin of your outgoing mail, you could simply forward via another remailer. However, delivering directly to SMTP port 25 would probably be a good idea. Sendmail has an option to set the from using -f, but you have to have it configured to allow it. Normally only root, uucp and daemon are allowed to use this option.